Lab 6: Device Service Clusters (DSC)

This lab is designed to help you understand Device and Traffic Groups, as well as the process of building an Active-Standby HA pair. While there is a wizard, we will configuring this manually.

Base Networking and HA VLAN

You will be creating a high availability cluster using the second BIG-IP (bigip2) in your lab , so let’s prep our current BIG-IP and we will be creating a high availability VLAN.

  1. On bigip01.f5demo.com archive your configuration in case you need to revert.
  1. Go to System > Archives and create a new archive.
  2. You will be using your third interface (1.3) for Network Failover and ConfigSync. This requires certain ports to be open on the Self IP; TCP port 4353 for ConfigSync and TCP port 1026 for Network Failover and TCP port 6699 for the Master Control Program.
    1. Build a new untagged VLAN ha_vlan on interface 1.3
    2. Add a self-IP address to the VLAN, 10.1.30.245 net mask 255.255.255.0.
      1. Under Port Lockdown, select Allow Default, to open ports required for HA communications.
        1. Optionally you could select: Allow Custom and add TCP ports 4353,1026 and 6699
  1. Go to https://10.1.1.246 which is bigip02.f5demo.com and login with the credentials admin/f5UDFrocks!.
    1. bigip02 has already been licensed and provisioned. You will need to set up the base networking.
Interface Untagged VLAN Self IP Netmask
1.1 client_vlan 10.1.10.246 255.255.255.0
1.2 server_vlan 10.1.20.246 255.255.255.0
1.3 ha_vlan 10.1.30.246 255.255.255.0
  1. On the ha_vlan ip configure set Port Lockdown to Allow Default
  2. Build the default gateway destination 0.0.0.0, mask 0.0.0.0, gateway ip address 10.1.10.1
  3. What is the status your BIG-IPs? Check the upper left-hand corner next to the F5 ball.

Configure HA

  1. On each BIG-IP, prior to building the Device Trust it is recommended renewing the BIG-IP self-signed certificate with valid information and re-generating the local Device Trust certificate.

  1. Under System > Device Certificate > Device Certificate select the Renew… button

    1. Common Name: <the Hostname of the BIG-IP in the upper left corner>
    2. Country: United States (or your country of preference)
    3. Lifetime: 3650
      1. Lifetime is important, if your cert expires your HA setup will fail.
    4. Select Finished. Your browser will ask to exchange certs with the BIG-IP again.

  2. Under Device Management > Device Trust > Local Domain select Reset Device Trust…

    i. In the Certificate Signing Authority select Generate New Self-Signed Authority and hit Update.

    ii. On each BIG-IP configure the device object failover parameters the BIG-IP will send to other BIG-IPs that want to be a part of a sync-only or sync-failover group.

  3. Click Device Management > Device and select the local BIG-IP. It will have the self suffix.

    1. Under Device Connectivity on the top bar select:
      1. ConfigSync
      2. Use the Self IP address of the HA VLAN for your Local Address.
      3. Hit Update
    2. Network Failover
      1. In the Failover Unicast Configuration section select the Add button
      2. Use the Self IP address the HA VLAN for your Address
      3. Leave the Port at the default setting of 1026
      4. Note: Multicast is for Viprion chasses only.
      5. Select Finished
    3. Mirroring
    1. Primary Local Mirror Address: use the Self IP address of the HA VLAN for your
    2. Secondary Local Mirror Address: None
    3. Select Update
  1. On bigip01.f5demo.com build the Device Trust.
    1. Under Device Management > Device Trust > Device Trust Members and select Add to add other BIG-IP(s) you will trust.
      1. Device IP Address: <management IP address of the BIG-IP to add>
        1. You could use any Self IP if the out-of-band management interface is not configured.
      2. Enter the Administrator Username and Password of the BIG-IP you are trusting.
      3. Select Retrieve Device Information
        1. The certificate information and name from the other BIG-IP should appear
        2. Select Device Certificate Matches
      4. Select Add Device.
        1. On each BIG-IP check the other BIG-IP in the Peer Authorities list. Is all the information there?
../../_images/image66.png
  1. If some information is missing delete the trust and try again.
../../_images/image67.png

  1. What are the statuses of your BIG-IPs now?

    1. They should be In Sync. But wait! We haven’t even created a device group! But remember the Device Trust creates a Sync-Only group for the certificates under the covers (device-trust-group) and that should be in sync.
    2. Click on In Sync in the upper right corner or Device Management > Overview to see the device_trust_group.

  2. On bigip01.f5demo.com create a new Sync-Failover device group

    1. Under Device Management > Device Groups create a new device group.
      1. Name: my-device-group
      2. Group Type: Sync-Failover
      3. Add the members of the group to the Includes box and select Finished.
      4. Check Device Groups on each BIG-IP.
      5. Did you have to create the Device Group on the other BIG-IP?
        1. Is the full configuration synchronized yet? (No! Only the Device Group is sync’d)
      6. What is your sync status?
        1. It should be Awaiting Initial Sync
      7. Click on the sync status or go to Device Management > Overview (or click on Awaiting Initial Sync) of the BIG-IP with the good/current configuration.
      8. Click the device with the configuration you want to synchronize. Sync Options should appear.
      9. Push the selected device configuration to the group. It could take up to 30 seconds for synchronization to complete.
        1. What are the statuses of your BIG-IPs? Do you have an active-standby pair?
        2. Are the configurations the same?

  3. Now that you have created your HA environment. HA selections will show up for SNAT addressed (not tied to your base network), persistence profiles and connection mirroring on virtual servers.

    1. Go to your Active BIG-IP.
    2. Go to your persistence profile my-src-persistence and check the Mirror Persistence box.
    3. Go to your www_vs virtual server and set the Default Persistence Profile to my-src-persistence.
    4. Synchronize your changes. Did the changes sync?
    5. On each BIG-IP go to Module Statistics > Local Traffic and bring up the persistence record statistics.
      1. Go to the home page of you www_vs web service (http://10.1.10.100). Refresh a few times.
      2. Check the persistence records on each of your BIG-IPs, you should see the records are mirrored on each device.

  4. Go to Device Management > Traffic Groups. As you can see the default traffic group “traffic-group-1” already exists.

    1. Select traffic-group-1, check out the page information and then select Force to Standby.
    2. What are the statuses of your BIG-IPs? Go to your web page. What is the client IP?
    3. Go to your self-IP addresses. What traffic group are they in? What does it mean?
    4. Archive your work.